b'March 5, 2003\nAudit Report No. 03-016\n\n\nThe New Financial Environment\nProject Control Framework\n\n\n\n\n               0\n\x0c                                         TABLE OF CONTENTS\n\n\nBACKGROUND .................................................................................................................................... 1\n\n\nRESULTS OF AUDIT ........................................................................................................................... 3\n\n\nFINDING A: DEFINING AN INTEGRATED CONTROL FRAMEWORK FOR THE\nNEW FINANCIAL ENVIRONMENT ............................................................................................... 4\n\n           Recommendations...................................................................................................................... 5\n\n\nFINDING B: COMMUNICATIONS MANAGEMENT ................................................................. 6\n\n           Recommendation ....................................................................................................................... 7\n\n\nFINDING C: RISK RESPONSE PLANNING ................................................................................. 8\n\n           Recommendations...................................................................................................................... 9\n\n\nCORPORATION COMMENTS AND OIG EVALUATION ......................................................... 9\n\n\nAPPENDIX I: SCOPE AND METHODOLOGY ........................................................................ 11\n\n\nAPPENDIX II: CORPORATION COMMENTS ......................................................................... 12\n\n\nAPPENDIX III: MANAGEMENT RESPONSES TO RECOMMENDATIONS .................... 14\n\x0cFederal Deposit Insurance Corporation                                                                           Office of Audits\nWashington, D.C. 20434                                                                              Office of Inspector General\n\n\n\n   DATE:                                 March 5, 2003\n\n   TO:                                   Fred S. Selby, Director\n                                         Division of Finance\n\n\n\n   FROM:                                 Russell A. Rau\n                                         Assistant Inspector General for Audits\n\n   SUBJECT:                              Audit of the New Financial Environment Project Control\n                                         Framework (Audit Report No. 03-016)\n\n\n   The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has\n   completed an audit of the New Financial Environment (NFE) project control framework. This\n   audit is the first in a series of reviews that we intend to conduct at critical milestones or decision\n   points during the development and implementation of the NFE. Prior to this audit, the FDIC OIG\n   performed two limited scope evaluations of the NFE project at the request of FDIC management.1\n    The objective of this audit was to determine whether the FDIC has established a control\n   framework for ensuring the delivery of a quality system that meets corporate requirements and\n   user needs in a timely and cost-effective manner. A detailed discussion of our audit scope and\n   methodology is contained in Appendix I of this report.\n\n   The purpose of this report is to provide observations and recommendations intended to assist in\n   ensuring the success of the NFE project. Providing this information at this point in the project\'s\n   life cycle will afford the FDIC the opportunity to take timely corrective actions.\n\n\n   BACKGROUND\n\n   The NFE project is a major corporate initiative to enhance the FDIC\'s ability to meet current and\n   future financial management and information needs. The project involves implementing a new\n   commercial-off-the-shelf (COTS) software package to replace the FDIC\'s current core financial\n   systems, which are based on the Walker Interactive Systems, Inc.\'s Tamris software products.\n   The project also involves extensive re-engineering of the FDIC\xe2\x80\x99s business practices. The FDIC\n   considers the re-engineering of its business practices to be a critical factor in achieving the\n   1\n       The first report, entitled The New Financial Environment Project, dated December 7, 2001 (Evaluation Report No.\n       01-004), assessed the reasonableness of the NFE cost-benefit analysis and the financial systems architecture. The\n       second report provided observations on selected procedures and documents related to the NFE Request for\n       Proposal.\n\x0cexpected benefits of NFE and avoiding the high maintenance costs associated with software\ncustomization.\n\nIn July 2000, the FDIC\'s Division of Finance (DOF) formed a project team to evaluate the FDIC\'s\ncurrent and emerging financial needs and recommend alternative solutions. On\nDecember 10, 2001, the FDIC\'s Board of Directors approved contract expenditure authority for\nthe NFE project totaling approximately $28.8 million.2 The FDIC executed a multi-year contract\nwith Accenture, LLP (Accenture) on October 1, 2002, to replace its core financial systems with\nPeopleSoft Financials. The contract contained a 4-year base period not-to-exceed approximately\n$26 million. The Division of Information Resources Management (DIRM) is responsible for\ncontract oversight. The FDIC plans to implement accounts payable, accounts receivable, general\nledger, budget, procurement, treasury management, reporting, and portions of the cost\nmanagement modules on July 1, 2004. Enhanced cost management functionality is scheduled for\nimplementation in 2005.\n\nKey to the success of any large and complex project, such as NFE, is implementing effective\nmanagement controls early in the project\'s life cycle. Such controls include both day-to-day\nmanagement of the project, such as scope, schedule, and cost controls, as well as controls that\nreflect the broader environment in which the project operates, such as ensuring the project is\neffectively coordinated with other related organizational projects. All of these controls\ncollectively comprise a project control framework.\n\nThe Project Management Institute (PMI)3 has conducted extensive research and analysis in the\nfield of project management and published a standards guide in 2000, entitled A Guide to the\nProject Management Body of Knowledge (PMBOK\xc2\xae Guide). The PMBOK\xc2\xae Guide documents\nproven practices, tools, and techniques that have become generally accepted4 in the field of\nproject management, including information systems development and implementation. The\nPMBOK\xc2\xae Guide is an approved standard of both the American National Standards Institute and\nthe Institute of Electrical and Electronics Engineers. The PMBOK\xc2\xae Guide identifies nine\ndistinct knowledge areas associated with successful project management. The nine areas are as\nfollows:\n\n\xe2\x80\xa2     Integration Management: The processes that ensure various elements of a project are\n      properly coordinated. It consists of project plan development and execution and integrated\n      change control.\n\xe2\x80\xa2     Scope Management: The processes that ensure a project includes all of the work required,\n      and only the work required, to complete the project successfully. It consists of initiation and\n      scope planning, definition, verification, and change control.\n\n\n\n2\n    At the time the Board case was approved, the FDIC estimated the total life cycle cost of the NFE, including FDIC\n    staff time, to be approximately $62.5 million over 8 years.\n3\n    PMI was established in 1969 as a not-for-profit project management professional association. PMI has over 95,000\n    members in 125 countries worldwide.\n4\n    The PMBOK\xc2\xae Guide defines the term "generally accepted" as being applicable to most projects, most of the time,\n    and having widespread consensus regarding value and usefulness.\n\n\n\n                                                          2\n\x0c\xe2\x80\xa2   Time Management: The processes that ensure timely completion of a project. It consists of\n    activity definition, sequencing, and duration estimating as well as schedule development and\n    schedule control.\n\xe2\x80\xa2   Cost Management: The processes that ensure a project is completed within the approved\n    budget. It consists of resource planning and cost estimating, cost budgeting, and cost control.\n\xe2\x80\xa2   Quality Management: The processes that ensure a project will satisfy the needs for which it\n    was undertaken. It consists of quality planning, assurance, and control.\n\xe2\x80\xa2   Human Resource Management: The processes that make the most effective use of the\n    people involved with a project. It consists of organizational planning, staff acquisition, and\n    team development.\n\xe2\x80\xa2   Communications Management: The processes that ensure timely and appropriate\n    generation, collection, dissemination, storage, and ultimate disposition of project information.\n     It consists of communications planning, information distribution, performance reporting, and\n    administrative closure.\n\xe2\x80\xa2   Risk Management: The processes concerned with identifying, analyzing, and responding to\n    project risk. It consists of risk management planning, risk identification, qualitative and\n    quantitative risk analysis, risk response planning, and risk monitoring and control.\n\xe2\x80\xa2   Procurement Management: The processes related to acquiring goods and services from\n    outside the organization. It consists of procurement and solicitation planning, solicitation,\n    source selection, contract administration, and contract closeout.\n\nWe used the PMBOK\xc2\xae Guide, in conjunction with other government and industry guidance, as\nthe primary criteria for auditing the establishment of NFE project controls. Although the FDIC is\nnot required to comply with the PMBOK\xc2\xae Guide, we used the guide as criteria because it\ncontains sound and prudent practices related to successful project management.\n\nRESULTS OF AUDIT\n\nThe FDIC established key controls for ensuring the delivery of a quality system that meets\ncorporate requirements and user needs in a timely and cost-effective manner as described in the\nnine areas of the PMBOK\xc2\xae Guide. However, improvement is needed in three of the nine\nPMBOK\xc2\xae areas (integration management, communications management, and risk management).\n Specifically, the FDIC had not formally defined an integrated control framework for the NFE\nproject. Without an integrated control framework, it will be difficult for the FDIC to ensure\naccountability and a corporate approach on the project (See Finding A: Defining an Integrated\nControl Framework for the New Financial Environment). The FDIC can also improve\ncommunications management on the project. Without effective communications management,\nthe FDIC runs the risk that critical project information will not be provided to all NFE\nstakeholders for decision-making in a timely manner (See Finding B: Communications\nManagement). Finally, the FDIC can improve its risk response planning for the NFE project.\nWithout such improvements, the NFE project team may be inadequately prepared for a significant\nrisk event, potentially increasing the impact of the risk (See Finding C: Risk Response\nPlanning).\n\n\n\n\n                                                 3\n\x0c                                 FINDINGS AND RECOMMENDATIONS\n\nFINDING A: DEFINING AN INTEGRATED CONTROL FRAMEWORK FOR THE\nNEW FINANCIAL ENVIRONMENT\n\nThe FDIC established key controls for ensuring the success of the NFE project, such as a steering\ncommittee to manage and oversee the project, planning documents to track the project\'s progress,\nand a risk manager to identify, evaluate, and mitigate project risks. However, the FDIC had not\nfully defined the NFE control framework. Specifically, the FDIC had not documented an overall\nframework explaining the roles, relationships, and reporting structures among key project players,\nsuch as the NFE Steering Committee, project sub-groups, Capital Investment Review Committee\n(CIRC), and senior management officials. In addition, the FDIC had not developed and approved\na charter for the NFE Steering Committee defining its responsibilities, membership, and operating\nguidelines, although this committee began meeting in August 2000. The NFE Steering\nCommittee is a critical control for ensuring effective coordination and integration on the project.\nThe NFE project team postponed defining a control framework for the NFE or completing a\nsteering committee charter until the implementation phase of the project, when the team could\nobtain input from Accenture on how these controls should be defined. Absent a formally defined\ncontrol framework, it will be difficult for the FDIC to ensure accountability and a corporate\nperspective on the project.\n\nThe PMBOK\xc2\xae Guide stresses the need to identify, assign, and document clear roles,\nresponsibilities, and reporting structures for individuals and groups associated with a project in\nthe earliest phases of the project\'s life cycle. The Guide also describes how project management\nprocesses and plans can be effectively integrated. The FDIC recently took a formal approach to\npromote integration on its Enterprise Architecture (EA)5 project. In December 2002, senior FDIC\nmanagement formally approved an EA Blueprint document describing how the EA project is\nstructured and how EA products and processes are managed from a corporate perspective. The\nEA Blueprint document included formal charters for each of the EA committees.\n\nSimilarly, formally defining all of the critical controls established for the NFE project and\ndocumenting how these controls interrelate will promote accountability on the project and\nstrengthen management of the project from a corporate perspective. Ensuring a corporate\nperspective for the NFE is especially important in light of the re-engineering of financial and non-\nfinancial business processes that will take place on the project and the extensive coordination that\nwill be required across the FDIC\'s divisions and offices.\n\n\n\n\n5\n    An EA is an institutional systems blueprint that defines in both business and technological terms an organization\xe2\x80\x99s\n    current and target operating environments and how the organization will transition between the two.\n\n\n\n                                                            4\n\x0cRecommendations\n\nWe recommend that the Director, DOF, in conjunction with the NFE project team:\n\n(1)    Develop and approve a charter for the NFE Steering Committee that defines, at a\n       minimum, its responsibilities, membership, and operating guidelines.\n\n(2)    Document an integrated control framework that explains, at a minimum, the roles,\n       relationships, and reporting structures among key project players on the NFE project.\n\n\n\n\n                                               5\n\x0cFINDING B: COMMUNICATIONS MANAGEMENT\n\nSince its inception in July 2000, the NFE project team has developed a number of channels for\ndisseminating information about the project throughout the Corporation and continued to refine\nthese channels on an ongoing basis. For example, the project team provided project status reports\nand periodic briefings to senior FDIC managers and corporate committees and promoted\nawareness of the project through the NFE Web site and FDIC News. However, communications\nmanagement could be improved. The NFE project team had not formalized and approved a\nfundamental component of its communications strategy, a communications management plan.6 A\ncommunications management plan had not been completed because the NFE project team and\nAccenture had not completely defined the communications requirements for the project. Without\na formal communications management plan, the FDIC runs the risk that critical project\ninformation will not be provided to all NFE stakeholders for decision-making in a timely manner.\n\nThe PMBOK\xc2\xae Guide states that identifying the information needs of project stakeholders and\ndetermining a suitable means of meeting those needs is an important factor for project success.\nOn most projects, the majority of communications planning is completed during the earliest\nproject phases and reviewed regularly throughout the project. According to the PMBOK\xc2\xae\nGuide, the primary output of communications planning is a communications management plan\nthat documents the methods for gathering, disseminating, updating, and storing project\ninformation. The plan defines who receives what information and the methods for information\ndistribution.\n\nAn April 2002 study conducted by the Chief Financial Officers Council and the Joint Financial\nManagement Improvement Program, entitled Building the Work Force Capacity to Successfully\nImplement Financial Systems, also identifies good communications as a critical success factor in\nfinancial systems implementations. The study states that a management document identifying\ncritical actions and the people responsible for deliverables, and holding parties accountable for\nthose deliverables, is critical to the success of the overall project. The need for effective project\ncommunications was also cited as a lesson learned in a recent DIRM report on FDIC system\ndevelopment efforts.7\n\nAt the time of our audit, the NFE project team and Accenture had already defined many of the\ncomponents necessary for a communications management plan and were working on a draft plan.\n However, according to the NFE project schedule, a communications management plan was to be\ncompleted and approved not later than December 15, 2002. Given the criticality of this important\ndocument, the NFE project team should make completing and approving a communications\nmanagement plan a high priority.\n\n\n\n\n6\n  A communications management plan documents the processes required to ensure timely and appropriate\n  generation, collection, dissemination, storage, and ultimate disposition of project information. It identifies project\n  stakeholders and evaluates their information and communications needs (i.e., who needs what information, when\n  they need it, how it will be provided to them, and who will provide it to them).\n7\n  DIRM report, entitled Post Implementation Review Trends Report, dated May 29, 2002.\n\n\n\n                                                            6\n\x0cRecommendation\n\nWe recommend that the Director, DOF, in conjunction with the NFE project team:\n\n(3)    Promptly complete and approve a formal communications management plan for the NFE\n       project.\n\n\n\n\n                                             7\n\x0cFINDING C: RISK RESPONSE PLANNING\n\nThe NFE project team began assessing NFE risks early in the project\'s life cycle and took steps to\nimprove its risk management8 practices as the project progressed. While these represent positive\nactions, the FDIC could improve its risk response planning. Specifically, the NFE project team\ndid not establish clear measures for determining when project risks categorized as "significant"9\nbecome a reality. In addition, the project team did not develop contingency plans, as appropriate,\nfor significant risks before they occur. Such measures and contingency plans did not exist\nbecause the FDIC\'s risk management practices relative to the NFE project represented a new\napproach to managing risks on corporate IT projects and was evolving. Without clear measures\nfor determining when significant project risks occur and appropriate contingency planning, the\nNFE project team may be required to react to a significant risk event after it happens, potentially\nincreasing the impact of the risk.\n\nThe NFE project team established a risk management process for the NFE project in April 2001\nwhen it completed a formal risk management plan. This process was expanded when the FDIC\ndesignated the Director, Office of Internal Control Management (OICM), as the project\'s risk\nmanager in July 2002. As risk manager for the NFE project, the OICM Director is responsible\nfor administering the NFE risk management plan, identifying, evaluating, and mitigating project\nrisks, and preparing monthly reports to project stakeholders. Using a defined methodology based\non industry and government practice, the OICM identified seven specific risk factors10 related to\nthe NFE project that it classified as "significant." To address these seven significant risk factors,\nthe NFE team developed mitigation plans containing actions that management should take to\nmitigate each risk factor. OICM is responsible for monitoring the implementation of the NFE\nrisk mitigation plans.\n\nSome project risks, such as cost and schedule overruns, cannot be entirely mitigated. For this\nreason, it is important to establish clear thresholds or measures for determining when a significant\nrisk has occurred or is about to occur. It is also important to consider contingency actions in\nadvance, in case a significant risk becomes a reality. The PMBOK\xc2\xae Guide states that risk\ntriggers, sometimes called risk symptoms or warning signs, should be established to indicate that\na risk has occurred or is about to occur. The PMBOK\xc2\xae Guide also states that developing a\ncontingency or fallback plan may be appropriate for some risks, particularly those risks having\npotentially high impact. The most common type of contingency or fallback plans include the\n8\n   The PMBOK\xc2\xae Guide defines risk management as a \xe2\x80\x9csystematic process of identifying, analyzing, and responding\n   to project risk." Risk management includes deciding how to plan a project\'s risk management activities, identifying\n   risks and the measures that determine when a risk is about to occur or has already occurred, and using qualitative\n   and quantitative analysis of risks and their implications on project objectives. Risk management also involves\n   developing procedures to enhance opportunities and reduce threats, such as determining whether risks can be\n   mitigated or a contingency plan is required, as well as ongoing monitoring and control of project risks and results\n   evaluation.\n9\n   The FDIC\xe2\x80\x99s risk management methodology used on the NFE project defines significant risks as having a high or\n   moderate likelihood of occurrence with catastrophic impact on the project or having a high likelihood of occurrence\n   with a critical impact on the project.\n10\n   The seven risk factors are (1) changing requirements, (2) funding estimates are inaccurate, (3) adequate technology\n   is unavailable, (4) significant changes in business practices (workflow), (5) unrealistic project schedule, (6) contract\n   oversight, and (7) simultaneous system development.\n\n\n\n                                                            8\n\x0cestablishment of a contingency allowance or reserve, including amounts of time, money, or\nresources, to account for known risks. Contingencies can also include development of alternative\noptions if a selected project strategy is not effective. This concept of proactive risk response\nplanning is also recognized in the NFE risk management plan, which states "the risk manager will\nidentify and the team will deal with potential problems early and develop contingencies to avoid a\ncrisis environment."\n\nSystem projects may not proceed exactly as originally planned. Effective management of any\nmajor project such as the NFE requires a well thought-out approach to handle significant project\nrisks and a mechanism for addressing those risks. Unless the NFE project team establishes\nspecific measures and contingencies, as appropriate, for risks classified as significant, it may be\nleft to react to these risk events as they occur. Advance contingency planning can greatly reduce\nthe impact of a significant risk should it become a reality on the NFE project.\n\nRecommendations\n\nWe recommend that the Director, DOF, in conjunction with the NFE project team:\n\n(4)    Consult with the NFE risk manager and Accenture to establish clear measures for\n       determining when project risks classified as significant occur or are about to occur.\n\n(5)    Develop contingency plans, as appropriate, for risk factors categorized as significant\n       before they become a reality.\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn February 21, 2003, the Director of DOF provided a written response to the draft report\'s\nfive recommendations to enhance and improve the overall project control framework for the\nNFE. DOF concurred with all five recommendations. Corrective action for one\nrecommendation was completed prior to DOF\'s written response. DOF plans to complete\ncorrective actions for the remaining four recommendations by April 15, 2003. The following\nsummarizes DOF\'s response to each recommendation.\n\n(1)    Develop and approve a charter for the NFE Steering Committee that defines, at a\n       minimum, its responsibilities, membership, and operating guidelines.\n\nDOF concurred with the recommendation. In its response, DOF indicated that the Steering\nCommittee membership had been finalized for the implementation phase of the project and that a\nSteering Committee charter was being developed. The estimated completion date for\ndevelopment and approval by DOF of a Steering Committee charter is March 15, 2003.\n\nRecommendation 1 is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\n\n\n\n                                                 9\n\x0c(2)    Document an integrated control framework that explains, at a minimum, the\n       roles, relationships, and reporting structures among key project players on the\n       NFE project.\n\nDOF concurred with the recommendation. In its response, DOF indicated that it is in the process\nof developing a \xe2\x80\x9cproject governance\xe2\x80\x9d document to address the above recommendation and\nidentify other relevant project control documents. The estimated completion date for\ndevelopment and approval of the project governance document by DOF is April 15, 2003.\n\nRecommendation 2 is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\n(3)    Promptly complete and approve a formal communications management plan for\n       the NFE project.\n\nDOF concurred with this recommendation. A communications plan was finalized and accepted\nby the FDIC on January 29, 2003. The OIG confirmed with the contract oversight manager that\nthe communications plan was received and accepted on that date.\n\nRecommendation 3 is resolved, dispositioned, and closed.\n\n(4)    Consult with the NFE risk manager and Accenture to establish clear measures\n       for determining when project risks classified as significant occur or are about to\n       occur.\n\nDOF concurred with this recommendation. In its response, DOF indicated that the NFE team will\nmeet with the NFE risk manager and Accenture to develop appropriate measurement criteria.\nThe estimated completion date for developing and approving the measurement criteria by DOF is\nApril 15, 2003.\n\nRecommendation 4 is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\n(5)    Develop contingency plans, as appropriate, for risk factors categorized as\n       significant before they become a reality.\n\nDOF concurred with this recommendation. In its response, DOF stated that the NFE team is\ndeveloping contingency plans for significant risk areas. The estimated completion date for\ndevelopment and approval of contingency plans by DOF is April 15, 2003.\n\nRecommendation 5 is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\nA summary chart showing management\'s responses to all recommendations is presented in\nAppendix III.\n\n\n\n\n                                              10\n\x0c                                                                                    APPENDIX I\n\n\nSCOPE AND METHODOLOGY\n\nTo accomplish our audit objective, we interviewed Headquarters DOF, DIRM, and OICM\nofficials who were responsible for managing and implementing the NFE project. We also spoke\nwith representatives of the U.S. General Accounting Office to obtain their perspective on the NFE\nproject and its control framework. In addition, we spoke with representatives of Accenture, the\nconsulting firm hired by the FDIC to provide implementation services on the NFE, to become\nfamiliar with Accenture\xe2\x80\x99s control processes for managing and implementing the project. Further,\nwe attended NFE Steering Committee meetings and selected project briefings to observe certain\naspects of the NFE control framework. We also reviewed key documents related to the NFE\ncontrol framework, including the quality management plan, risk management and mitigation\nplans, work breakdown structure, Board of Directors\xe2\x80\x99 case authorizing contract expenditure\nauthority for the NFE, and relevant corporate correspondence.\n\nThe scope of our audit was limited to determining whether the FDIC had established a control\nframework for ensuring the delivery of a quality system that meets corporate requirements and\nuser needs in a timely and cost-effective manner. Our audit did not evaluate the effectiveness of\nthe implementation of internal controls related to the NFE project. Such evaluations will be\nconducted in future audits of the NFE. In addition, our audit did not assess the FDIC\'s\ncompliance with applicable laws and regulations because we did not identify specific laws or\nregulations pertaining to the establishment of project controls.\n\nOur audit included a determination of whether the FDIC had established performance measures to\ncontrol the NFE project, such as status reporting and budget and schedule variance analysis. We\nplan to evaluate the adequacy and effectiveness of NFE performance measures as part of our\nfuture coverage of the NFE. In addition, we corroborated automated information used to support\nour audit findings, conclusions, and recommendations with other sources to ensure they were\nsufficiently reliable. For example, we discussed information contained in project status reports\nand plans with key project personnel. Throughout the audit, the auditors were sensitive to the\npossibility of abuse or illegal acts. Finally, we relied on PMI\'s PMBOK\xc2\xae Guide as the primary\ncriteria for determining whether the FDIC had established a project control framework for the\nNFE.\n\nWe conducted our audit in accordance with Generally Accepted Government Auditing Standards\nduring the period December 2002 through January 2003.\n\n\n\n\n                                                11\n\x0c                            APPENDIX II\n\n\nCORPORATION COMMENTS\n\n\n\n\n                       12\n\x0c     APPENDIX II\n\n\n\n\n13\n\x0c                                                                                                                                                   APPENDIX III\n\n\n\nMANAGEMENT RESPONSES TO RECOMMENDATIONS\n\nThis table presents the management responses that have been made on recommendations in our report and the status of recommendations as\nof the date of report issuance. The information in this table is based on management\xe2\x80\x99s written response to our report.\n\n                                                                                                                                                              Open\n Rec.                                                                        Expected              Monetary       Resolveda :     Dispositionedb:              Or\nNumber           Corrective Action: Taken or Planned/Status                Completion Date         Benefits       Yes or No          Yes or No               Closedc\n               DOF has finalized the Steering Committee\n               membership for the implementation phase of\n       1       the NFE project and is in the process of\n               developing the Committee charter.                           March 15, 2003             N/A             YES                NO                   OPEN\n               DOF is in the process of developing a\n               \xe2\x80\x9cproject governance\xe2\x80\x9d document that will\n       2       address the recommendation and identify\n               other relevant project control documents.                    April 15, 2003            N/A             YES                NO                   OPEN\n               The Communications Plan was finalized and                     Completed on\n       3       accepted by FDIC on January 29, 2003.                       January 29, 2003           N/A             YES                YES                CLOSED\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation and the planned corrective action is consistent with the recommendation.\n                (2) Management does not concur with the recommendation but planned alternative action is acceptable to the OIG.\n                (3) Management agrees to the OIG monetary benefits or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as\n                management provides an amount.\nb\n    Dispositioned \xe2\x80\x93 The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through\n     implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the\n     recommendation.\nc\n    Once the OIG dispositions the recommendation, it can then be closed.\n\n\n\n\n                                                                                   14\n\x0c                                                                                                             APPENDIX III\n\n\n\n\n                                                                                                                   Open\n Rec.                                                    Expected        Monetary   Resolved:   Dispositioned:       or\nNumber    Corrective Action: Taken or Planned/Status   Completion Date   Benefits   Yes or No     Yes or No        Closed\n         The NFE Team will meet with the NFE risk\n  4      manager and Accenture to develop\n         appropriate measurement criteria.              April 15, 2003     N/A        YES            NO            OPEN\n         The NFE team is developing contingency\n  5      plans for significant risk areas.              April 15, 2003     N/A        YES            NO            OPEN\n\n\n\n\n                                                              15\n\x0c'